MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2009
MA-149.022009: MyCERT Special Alert - The Microsoft Excel Invalid Object Vulnerability

1.0 Introduction

Microsoft Excel is a spreadsheet application by Microsoft. It features calculation, graphing tools, pivot tables and a macro programming language called VBA (Visual Basic for Applications).

2.0 Vulnerability description

The Microsoft Excel invalid object vulnerability is rated as critical because a successful attack can allow an attacker to perform remote code execution on an affected system. The security flaw is caused by a boundary condition error, and attacks against it were initially reported by security company Symantec.

An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

3.0 Software affected

  • Microsoft Office Excel 2000 Service Pack 3
  • Microsoft Office Excel 2002 Service Pack 3
  • Microsoft Office Excel 2003 Service Pack 3
  • Microsoft Office Excel 2007 Service Pack 1
  • Microsoft Office Excel Viewer 2003
  • Microsoft Office Excel Viewer 2003 Service Pack 3
  • Microsoft Office Excel Viewer
  • Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
  • Microsoft Office 2004 for Mac
  • Microsoft Office 2008 for Mac

4.0 Solutions and workaround

  • Do not open or save Office files that you receive from untrusted sources or that are received unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a file.

  • Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources. For more information on MOICE, please refer to http://support.microsoft.com/kb/935865

  • Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations. For more information on Microsoft Office File Block policy, please refer to http://support.microsoft.com/kb/922848
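
The workarounds above depend on recognising Office 2003 and earlier files when they arrive from untrusted sources. The following added example, which is not part of the MyCERT advisory or any Microsoft tooling, shows how a mail or file gateway could identify them by content rather than by file name; the function names, extension lists, hold/pass decision and sample files are assumptions constructed for illustration.

```python
import io
import os
import zipfile

# Header of the OLE2 compound file container used by Office 2003 and earlier.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
LEGACY_EXT = {".xls", ".xlt", ".xla", ".doc", ".dot", ".ppt", ".pps"}
OOXML_EXT = {".xlsx", ".xlsm", ".docx", ".docm", ".pptx", ".pptm"}

def container_of(data: bytes) -> str:
    """Identify the container from the bytes, never from the file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if "[Content_Types].xml" in z.namelist():
                    return "ooxml"
        except zipfile.BadZipFile:
            pass
        return "zip-other"
    return "other"

def triage(name: str, data: bytes) -> str:
    """'hold' = route to conversion or block before a user can open it."""
    ext = os.path.splitext(name)[1].lower()
    kind = container_of(data)
    if kind == "ole2" or ext in LEGACY_EXT:
        # Legacy binary content or name. Password-encrypted OOXML is also
        # wrapped in OLE2, so holding it is the conservative choice.
        return "hold"
    if ext in OOXML_EXT and kind != "ooxml":
        return "hold"  # Office extension that does not match its content
    return "pass"

def _sample_ooxml() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()

# Constructed sample attachments (not real documents).
SAMPLES = {
    "budget.xls": OLE2_MAGIC + b"\x00" * 504,    # legacy binary workbook
    "budget.xlsx": _sample_ooxml(),              # genuine Open XML package
    "invoice.xlsx": OLE2_MAGIC + b"\x00" * 504,  # legacy content, renamed
    "broken.xlsx": b"PK\x03\x04truncated",       # not a valid package
}
RESULTS = {name: triage(name, data) for name, data in SAMPLES.items()}
```

The renamed `invoice.xlsx` is the case a file-name filter misses: its content is still in the legacy binary format, so it is held along with `budget.xls`.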

Reference